SnapGear 2.0.1 инструкция обслуживания

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189

Идти на страницу of

Хорошее руководство по эксплуатации

Законодательство обязывает продавца передать покупателю, вместе с товаром, руководство по эксплуатации SnapGear 2.0.1. Отсутствие инструкции либо неправильная информация, переданная потребителю, составляют основание для рекламации в связи с несоответствием устройства с договором. В законодательстве допускается предоставлении руководства в другой, чем бумажная форме, что, в последнее время, часто используется, предоставляя графическую или электронную форму инструкции SnapGear 2.0.1 или обучающее видео для пользователей. Условием остается четкая и понятная форма.

Что такое руководство?

Слово происходит от латинского "instructio", тоесть привести в порядок. Следовательно в инструкции SnapGear 2.0.1 можно найти описание этапов поведения. Цель инструкции заключается в облегчении запуска, использования оборудования либо выполнения определенной деятельности. Инструкция является набором информации о предмете/услуге, подсказкой.

К сожалению немного пользователей находит время для чтения инструкций SnapGear 2.0.1, и хорошая инструкция позволяет не только узнать ряд дополнительных функций приобретенного устройства, но и позволяет избежать возникновения большинства поломок.

Из чего должно состоять идеальное руководство по эксплуатации?

Прежде всего в инструкции SnapGear 2.0.1 должна находится:
- информация относительно технических данных устройства SnapGear 2.0.1
- название производителя и год производства оборудования SnapGear 2.0.1
- правила обслуживания, настройки и ухода за оборудованием SnapGear 2.0.1
- знаки безопасности и сертификаты, подтверждающие соответствие стандартам

Почему мы не читаем инструкций?

Как правило из-за нехватки времени и уверенности в отдельных функциональностях приобретенных устройств. К сожалению само подсоединение и запуск SnapGear 2.0.1 это слишком мало. Инструкция заключает ряд отдельных указаний, касающихся функциональности, принципов безопасности, способов ухода (даже то, какие средства стоит использовать), возможных поломок SnapGear 2.0.1 и способов решения проблем, возникающих во время использования. И наконец то, в инструкции можно найти адресные данные сайта SnapGear, в случае отсутствия эффективности предлагаемых решений. Сейчас очень большой популярностью пользуются инструкции в форме интересных анимаций или видео материалов, которое лучше, чем брошюра воспринимаются пользователем. Такой вид инструкции позволяет пользователю просмотреть весь фильм, не пропуская спецификацию и сложные технические описания SnapGear 2.0.1, как это часто бывает в случае бумажной версии.

Почему стоит читать инструкции?

Прежде всего здесь мы найдем ответы касательно конструкции, возможностей устройства SnapGear 2.0.1, использования отдельных аксессуаров и ряд информации, позволяющей вполне использовать все функции и упрощения.

После удачной покупки оборудования/устройства стоит посвятить несколько минут для ознакомления с каждой частью инструкции SnapGear 2.0.1. Сейчас их старательно готовят или переводят, чтобы они были не только понятными для пользователя, но и чтобы выполняли свою основную информационно-поддерживающую функцию.

Содержание руководства

  • Страница 1

    CyberGuard SG  Firewall V PN Applian ce User Manua l Revision 2.0.1 June 7, 2004 CyberGuard 7984 South W elby Park Drive #10 1 Salt Lake City, Uta h 84084 Email: suppo rt@snapgear.com Web: www.c yberguard.com[...]

  • Страница 2

    Contents 1. Introduction ............................................................................................... 1 CyberGuard SG Gateway Appli a n c es ................................................................... 1 CyberGuard SG PCI Appli a n c es ........................................................................... 2 Document [...]

  • Страница 3

    4. Dialin Setup ............................................................................................. 52 Dialin Setup ......................................................................................................... 53 Dialin User Accounts ........................................................................................... 55[...]

  • Страница 4

    10. System ................................................................................................... 159 Date and Time ................................................................................................... 159 Users ...............................................................................................................[...]

  • Страница 5

    Introductio n 1 1. Introduction This chap ter provides an overview of your Cyber Guard SG appli ance’s features an d capabilities , and explains ho w to install and c onfigure your CyberGuard SG applianc e. This manual describes how to ta ke advantage of the features of your CyberGuard SG appliance , including setting up n etwork connec tions, a [...]

  • Страница 6

    Introductio n 2 The following figure shows how you r CyberGuar d SG appliance i nterconnects. Figure 1-1 CyberGuard SG PCI Appliances The CyberGua rd SG PCI applia nce (SG630, SG635) is a hardware-bas ed firewall and VPN server emb edded in a 10/1 00 Ethernet PCI ne twork interface c ard (NIC). It is installed int o the host PC like a regular NIC, [...]

  • Страница 7

    Introductio n 3 This approac h offers an increa sed measure of protection against internal threats as well as conventiona l Internet securi ty concerns. You can update, configur e and monitor the firewall and VPN connectivity of a workstation or server from any web browser. In th e event of a brea ch, you have compl ete control over individual PCs&[...]

  • Страница 8

    Introductio n 4 Document Conventions This docu ment uses differen t fonts and typeface s to show speci fic actions. Warning/Not e Text like thi s highlights important issues. Bold text in p rocedures indic ates text that you typ e, or the name of a s creen object (e.g. a menu or butt on).[...]

  • Страница 9

    Introductio n 5 Your CyberGuard SG Gateway Appliance CyberGuard SG gateway appli ances include : • SG300 • SG530 • SG550 • SG570 • SG575 The following items are include d with your CyberGua rd SG gateway app liance: • Power adaptor • Installation CD • Printed Quick Install guide • Cabling inc luding o 1 normal stra ight through UT[...]

  • Страница 10

    Introductio n 6 Note Not all the LEDs described belo w are present on al l CyberGuard SG ap pliance models . Also, labels va ry from model to model. Label Activity Description Power On Power is sup plied to the Cyber Guard SG applia nce Flashing The CyberGua rd SG applianc e is operating correc tly Heart Beat On If this LED is o n and not flashi ng[...]

  • Страница 11

    Introductio n 7 CyberGuard SG Gateway Appliance Fea tures Internet link featur es • 10/100baseT E thernet port (Inte rnet/WAN) • Serial port • Front panel se rial status LEDs (for TX/RX) • Online status LEDs (for Internet /VPN) • Rear panel Et hernet link and a ctivity status LEDs LAN link features • 10/100Base T LAN port • 10/100Base[...]

  • Страница 12

    Introductio n 8 Your CyberGuard SG PCI Appliance CyberGuard SG PCI applianc es include: • PCI630 • PCI635 The following items are include d with your CyberGua rd SG PCI appl iance: • Installation CD • Printed Quick Install guide LEDs The rear pan el contains LEDs in dicating status . The two LEDs clo sest to the network port are netwo rk ac[...]

  • Страница 13

    Introductio n 9 CyberGuard SG PCI Appliance Features Network link features • 10/100baseT E thernet port • Ethernet LEDs (link, activity) Environmental featur es • Status LEDs: Power, Heart Bea t • Operating temp erature between 0 ° C and 40° C • Storage temp erature between -20° C and 7 0° C • Humidity betwe en 0 to 95% (no n-conden[...]

  • Страница 14

    Getting Started 10 2. Getting S t arted This chap ter provides step-by-ste p instructions for i nstalling your Cyber Guard SG appliance into your network an d connecting to the Internet. This is a slightly more detailed vers ion of the printed Quick Install Gui de that shipped with your CyberGuard SG appliance. These ins tructions assume you ha ve [...]

  • Страница 15

    Getting Started 11 CyberGuard SG Gateway Appliances Set up a PC to Connect to the Web Management C onsole The CyberGua rd SG applianc e ships with initial, st atic IP settings of: IP address: 192.168.0.1 Subnet mask: 255.255.25 5.0 Note The Internet/ WAN and DMZ int erfaces are by default inactive, i.e . there are no netwo rk services su ch as DHCP[...]

  • Страница 16

    Getting Started 12 Connect the su pplied power adapte r to the CyberGuard SG applianc e. If you are usi ng the SG530, SG550 , SG570 or SG575 model, conne ct the CyberGuard SG appliance ’s LAN Ethernet port directly to your PC’ s network inte rface card using the crossover cab le (red or gray). If you are usi ng the SG300 model , connect your PC[...]

  • Страница 17

    Getting Started 13 Next, you mus t modify your PC’s network settin gs to enable it to commun icate with the CyberGuard SG a ppliance. Click Start -> Settings -> Control Panel and doub le click Netwo rk Connections (or in 95/98/Me, dou ble click Netwo rk ). Right click on Local Area Connectio n and select Prop erties . Note If there is mo re[...]

  • Страница 18

    Getting Started 14 Select Use th e following IP addre ss and enter the fo llowing details: IP address: 192.168.0.100 Subnet mask: 255.255.255.0 Default gateway: 192.168.0.1 Select Use the following DNS server addresses and enter: P r e f e r r e d D N S s e r v e r : 192.168.0.1 Note If you wish to retain your exis ting IP settings f or this networ[...]

  • Страница 19

    Getting Started 15 Select Quick Setup Wizard from t he center of the pa ge. You will be pro mpted to log in. Enter the initial user n ame and passwor d for your CyberGuard SG a ppliance: User name: root Password: default Note If you are u nable to connect to the Management Con sole at 192.168. 0.1, or the initial username and password are not accep[...]

  • Страница 20

    Getting Started 16 The Quick Se tup Wizard will d isplay. Figure 2-3 Hostname: You may change th e name the CyberGuard SG appliance knows itself by. This is not gen erally necessa ry. Manual configu ration: Select th is to manually spec ify your CyberGuar d SG appliance’ s LAN connect ion settings. Skip: LAN al ready configured: Select this if yo[...]

  • Страница 21

    Getting Started 17 Figure 2-4 Note This page will only display if yo u previously sel ected Manual config uration . Otherwis e skip to the next step. Enter an IP ad dress and Subnet mask for your CyberGuard SG appliance’s LAN connectio n. You may choose to use the CyberGuard SG applianc e’s initial network settings if you are sure no other PC o[...]

  • Страница 22

    Getting Started 18 Set up Internet Connection Settings Select your In ternet connectio n type and click Ne xt . Figure 2-5 Cable modem If connecti ng using a cable mo dem, select the appropriate ISP. Cho ose Generic c able modem provid er if unsure. Analog modem If connecti ng using a regular analog modem, ent er the details pro vided by your ISP. [...]

  • Страница 23

    Getting Started 19 Note For detailed help for each of the se options, ple ase refer to the the c hapter entitled Network Con nections . Once the Cyb erGuard SG appli ance’s Internet connection has be en set up, click Ne xt , select Reboot and click Next aga in. Set up the PCs on your LAN to Acc ess the Internet Note If you have changed the CyberG[...]

  • Страница 24

    Getting Started 20 LAN with a DHCP serv er Add a lease to your existing DHCP s erver to reserve the IP address yo u chose in STEP 3 for the Cyber Guard SG applia nce’s LAN connect ion. If you chose to set the CyberGuard S G appliance’s LAN connection s ettings using Manual configu ration , you may simp ly remove this address from the po ol of a[...]

  • Страница 25

    Getting Started 21 To manually s et up each Windo ws PC on your ne twork: Click Start -> Settings -> Control Panel and dou ble click Netwo rk Connections ( or in 95/98/Me, doub le click Network ). If presented with multiple connec tions, right click on L ocal Area Connect ion (or appropriate ne twork connection ) and select Properties . Selec[...]

  • Страница 26

    Getting Started 22 Alternatively, to activate your Cybe rGuard SG applian ce's DHCP server: Launch Inte rnet Explorer (or your pr eferred web brows er) and navigate to the IP address of the CyberGuard SG app liance’s LAN co nnection. The Web Mana gement Console will display. Select DHCP Serv er from the Netw orking menu. Click Add Se rver an[...]

  • Страница 27

    Getting Started 23 Select Intern et Protocol (TCP/I P) and click P roperties (or in 95 /98/Me, TCP/IP -> [your netw ork card name] i f there are multiple entries) and cli ck Properties (in 95/98/Me, you may also have to click the IP Addres s tab). Figure 2-6 Check Obtain an IP address aut omatically , check Obtain DNS serve r address automatical[...]

  • Страница 28

    Getting Started 24 CyberGuard SG PCI Appliances Install your CyberGuard SG Appliance in a Spare PC I Slot Power off you r PC and remove its c over. Select an unused PCI slot an d insert the CyberGuard SG a ppliance, then power on your PC. Install the Network Driver on your PC The CyberGua rd SG applianc e will be automatica lly detected and ha ve t[...]

  • Страница 29

    Getting Started 25 Next, you mus t modify your PC’s network settin gs to enable it to commun icate with the CyberGuard SG a ppliance. Click Start -> Settings -> Control Panel and doub le click Netwo rk Connections . Right click on Local Area Connectio n (or appropriat e network conn ection for the newly installed PCI a ppliance) and s elect[...]

  • Страница 30

    Getting Started 26 Set up the Password and Network Connection Settings Launch Inte rnet Explorer (or your pr eferred web brows er) and navigate to 192.168.0.1 . Figure 2-8 The Web Mana gement Console will display. Select Network Setup under Networking i n the left hand menu. You will be pro mpted to log in. Enter the initial user n ame and passwor [...]

  • Страница 31

    Getting Started 27 Note The purpose o f this step is to co nfigure the IP addres s for the Web Manag ement Console. For c onvenience, thi s will generally be a free IP address on your LAN. The Network Setup Connect ions page will di splay. Locate the Bridge / br0 port an d select Edit curren t settings under Configuratio n . If your LAN ha s an act[...]

  • Страница 32

    Getting Started 28 The first IP add ress will be used b y the Web Manageme nt Console. Figure 2-9 Enter this IP address and the subnet mask for your LAN into the IP Ad dress / Netmas k fields on t he Web Management Con sole’s Bridge IP Co nfiguration pag e. Ensure DHCP as signed is unch ecked . You may also enter one or more DN S Server(s) to b e[...]

  • Страница 33

    Getting Started 29 Figure 2-10 Enter the follow ing details: • IP address the second free IP ad dresses that is part of the subnet ra nge of your LAN. • Subnet mask is the subnet mas k of your LAN. • Default gatew ay is the IP address of your LAN’s de fault gateway. • Preferred DNS s erver is the IP address of the DNS se rver used by PC s[...]

  • Страница 34

    Getting Started 30 Alternatively, to set up your CyberGuard SG appliance and PC for auto-configuration: Before continu ing, ensure your DHC P server has two free leases. One wi ll be used for the Web Mana gement Consol e, the other for your P C. Note It is highly rec ommended that y ou reserve the IP ad dress to be used by the Web Management Consol[...]

  • Страница 35

    Getting Started 31 Next, configur e your PC to obta in its network settings automatically fr om your LAN DHCP server. Click Start -> Settings -> Control Panel and dou ble click Netwo rk Connections . Right click on Local Area Connec tion (or appropria te network con nection for the newly installed PCI a ppliance) and s elect Properties . Sele[...]

  • Страница 36

    Getting Started 32 Disabling the Reset Button on your Cy berGuard SG PCI Appliance For convenie nce, the CyberGuard SG appliance ships with the r ear panel Reset button enabled. T his allows the Cyber Guard SG applia nce’s configurati on to be reset to f actory defaults. From a netwo rk security stand point, it may be de sirable to disable the Re[...]

  • Страница 37

    Network Con nections 33 3. Network Conn ections This chap ter describes the Netw ork Setup section of the Web Managemen t Console. Here you can c onfigure each of your CyberGuard SG appliance’s network ports (Ethernet, se rial). Network po rts may be config ured for Internet connection, LAN connectio n, DMZ connectio n, remote dialin access or In[...]

  • Страница 38

    Network Con nections 34 LAN Unlike Intern et , DMZ or COM1 p orts, the LAN netw ork port has on ly one configura ble function, to connect to your lo cal area network. Network setting s for the LAN networ k port may be a ssigned staticall y, or dynamically by a DHCP server. Se lect Edit current settings to c ontinue. To assign network settings st at[...]

  • Страница 39

    Network Con nections 35 • It allo ws users to trans mit IPX/SPX over a VPN, something that is not supported by other VPN ven dors. • It allo ws users to trans mit DHCP to remote si tes this ensures that they are under better control. • It allo ws users to make u se of protocols that do not work we ll in a WAN environment (e.g. netbios ). The [...]

  • Страница 40

    Network Con nections 36 CyberGuard SG PCI applianc es can also con nect to the Internet i n this manner, but generally wil l be connecting directly to a LAN by selecting either Di rect Internet or Bridged Interne t . Physically connect m odem device The first st ep in connecting you r office network to the Internet is to physically attach your Cybe[...]

  • Страница 41

    Network Con nections 37 Use PPPoE if y our ISP uses us ername and passwo rd authenticat ion to access the Internet. Use DHCP if your ISP d oes not requir e a username and p assword, or your ISP instructed you to obtain an IP add ress dynamicall y. If your ISP has gi ven you an IP address or address range, you must Manually A ssign Settings . For PP[...]

  • Страница 42

    Network Con nections 38 Figure 3-4 To manually configure your In ternet network s ettings, enter the IP Address , Netmas k , Internet Gate way and DNS Server(s) supplied by your IS P. If you have been given a range of IP ad dresses, they ma y be added as Interface Aliases . F or details, see t he Advanced sec tion later in this c hapter. Reboot you[...]

  • Страница 43

    Network Con nections 39 When the Cybe rGuard SG applia nce is in bri dged mode, it will not be performing NAT/masque rading. PCs will typically use an IP ad dress on the netwo rk connected to the CyberGuar d SG applianc e’s Internet port as their gateway, rather than the CyberGuard SG appliance i tself. Failover Direct/Cable/ADSL Int ernet Refer [...]

  • Страница 44

    Network Con nections 40 Figure 3-5 The following table describes the fields and expla ins how to config ure the dial up connectio n to your ISP. Field Description Name of Inte rnet provider Enter the name of your ISP. Phone numb er(s) to dial Enter the numb er to dial to rea ch your ISP. If you are behind a PAB X that requires you to dial a prefi x[...]

  • Страница 45

    Network Con nections 41 Statically ass igned IP address The majority of ISPs dynamicall y assign an IP addres s to your connect ion when you dia lin. However some I SPs use pre-assign ed static address es. If your ISP has gi ven you a static IP ad dress, enter it in Lo cal IP Address and enter the address of the ISP gateway in Rem ote IP Addres s .[...]

  • Страница 46

    Network Con nections 42 Services on the DMZ Network Once you ha ve configured th e DMZ connect ion, you will also wan t to configure t he CyberGuard SG appliance to allow access to s ervices on the DMZ. Th ere are two methods of al lowing access . If the servers on the DMZ have pub lic IP addresse s, you need to ad d packet filtering rules to al lo[...]

  • Страница 47

    Network Con nections 43 DMZ as a backup/failover Internet connection See the Intern et Failover sec tion later in this chapte r. Load Balancing If you have enabled both the Internet and DMZ ports as primary In ternet conne ctions, enabling l oad balacing will s hare Internet traffic load over the two co nnections. To enable l oad balancing, ch eck [...]

  • Страница 48

    Network Con nections 44 Enable the primary connection for failover Set up your p rimary broadban d Internet connec tion as described in the Internet sect ion of this chapt er. From the Conne ctions menu, sel ect Edit failover p arameters from th e Configuratio n pull down box. The CyberGua rd SG applianc e determines wheth er an Internet c onnectio[...]

  • Страница 49

    Network Con nections 45 Note The Failover Cable/DSL/Direct/D ialout Internet option will not ap pear as an ava ilable Configuratio n until a primary In ternet connec tion has been confi gured. Refer to Enabl e the primary conn ection for failove r above for deta ils on enabling yo ur primary broad band Internet con nection for failover. Figure 3-7 [...]

  • Страница 50

    Network Con nections 46 Routes Additional routes The Additional routes feature al lows expert users t o add additional static routes for the CyberGuard SG appliance. These routes are additional to those created automatic ally by the CyberGuar d SG applianc e configuration sc ripts. Route management Your CyberGuar d SG applianc e can be configured t[...]

  • Страница 51

    Network Con nections 47 Advanced The following figure shows the a dvanced IP configu ration: Figure 3-8 Hostname The Hostname is a descripti ve name for the Cybe rGuard SG appli ance on the netwo rk. DNS Proxy The CyberGua rd SG applianc e can also be con figured to run as a Do main Name Server. The CyberGua rd SG applianc e acts as a DNS Pro xy an[...]

  • Страница 52

    Network Con nections 48 Figure 3-9 Network Address Translation ( NAT/masquerading) The CyberGua rd SG applianc e can utilize IP Masqu erading (a simple f orm of Network Address Trans lation, or NAT) where PCs on the lo cal network effec tively share a si ngle external IP add ress. Masquera ding allows insiders to get out, withou t allowing outsider[...]

  • Страница 53

    Network Con nections 49 Dynamic DNS A dynamic DNS service is u seful when you don’ t have a static Internet IP address , but need to remai n contactable by h osts on the Internet. Dynamic DNS servi ce providers such as T ZO.com and dyndns. org can regist er an Internet domain n ame that will p oint to your Internet IP address no matter h ow often[...]

  • Страница 54

    Network Con nections 50 Figure 3-10 Interface aliases Interface alia ses allow the CyberGu ard SG applianc e to respond to mu ltiple IP addresses on its LAN, Interne t and DMZ ports. F or Internet and DMZ aliased port s, you must also setu p appropriate Pa cket Filtering an d/or Port forward ing rules to allow traffic on th ese ports to be pas sed [...]

  • Страница 55

    Network Con nections 51 Change MAC address On rare occa sions it may be nec essary to change the Ethernet hard ware or MAC Address of your CyberGuard SG a ppliance. The MAC address i s a globally unique address an d is specific to a sin gle CyberGuard SG app liance. It is set by the manufacturer and should not no rmally be change d. However, you ma[...]

  • Страница 56

    Dialin Setup 52 4. Dialin Setu p CyberGuard SG appliance e nables remote and s ecure access to your office netwo rk. This chap ter shows how to se t up the dialin fe atures. Your CyberGuar d SG applianc e can be configured t o receive dialin calls from remote users/sites. Remote users are i ndividual users (e .g. telecommuters ) who connec t direct[...]

  • Страница 57

    Dialin Setup 53 Dialin Setup Once an anal og modem or ph one line has bee n attached, enable the CyberGuard SG appliance ’s COM port or interna l modem for dialin . Under Network ing , select Netw ork Setup . From the Connections men u, locate the COM port or Mode m on which you w ant to enable d ialin, and selec t Change to Dialin Access from th[...]

  • Страница 58

    Dialin Setup 54 The following table describes the fields on the Dial -In Setup page: Field Description IP Address fo r Dialin cli ents Dialin user s must be assigned local IP addresses to access the local n etwork. Specify a free IP address from your lo cal network that the connected di al-up client will use when connectin g to the CyberGuard S G a[...]

  • Страница 59

    Dialin Setup 55 Dialin User Accounts User accounts must be set up before remote users can dialinto the C yberGuard SG appliance . The following figu re shows the Dialin u ser account cre ation: Figure 4-2 The field o ptions in Add New Acc ount are shown in the following t able: Field Description Username Username f or dialin au thentication only. T[...]

  • Страница 60

    Dialin Setup 56 The following figure shows the u ser maintenance s creen: Figure 4-3 Account list As new dialin user accounts a re added, they are di splayed on the upd ated Account List. To modify a p assword for an exis ting account, s elect the account in the Account List an d enter the new pa ssword in the N ew Password and Confirm fields. C li[...]

  • Страница 61

    Dialin Setup 57 If the change i s unsuccessful , an error is reported as shown in the fo llowing figure: Figure 4-3 When you have f inished adding and modifying user a ccount details, you can configure other CyberGu ard SG applian ce functions by s electing the approp riate item from the Network or System menus. Yo u can also appl y packet filterin[...]

  • Страница 62

    Dialin Setup 58 Remote User Configuration Remote users can dialin using the CyberGuard SG app liance using the standard Windows Dia l-Up Networking so ftware. Set up a new dial-out conn ection on the remote PC to dial the phone number of the modem con nected to the Cyber Guard SG applian ce COM port. After the dialin is connected, users can access [...]

  • Страница 63

    Dialin Setup 59 Check the Log on to network and Enable software com pression checkbo xes. If your CyberGuard SG appliance d ialin server requires MSCHAP-2 authe ntication, you als o need to check the Require encr ypted password ch eckbox. Leave all other Advanced Options unch ecked. Select the TCP/IP network proto cols from the Allow ed network pro[...]

  • Страница 64

    Dialin Setup 60 Windows 2000/XP To configu re a remote access connection on a PC running Windows 2000/XP, click St art , Settings , Netw ork and Dial-up Co nnections and select Make New Connection. The network connection wiza rd will guide you th rough setting up a remote access connectio n: Figure 4-5 Click Next to c ontinue. Figure 4-6 Select Dia[...]

  • Страница 65

    Dialin Setup 61 Figure 4-7 Tick Use diali ng rules to enabl e you to select a country code and area code. This feature is u seful when using remote access in another area code or overseas. Click Next to c ontinue. Figure 4-8 Select the opti on Only for myself to make the con nection only availa ble for you. This is a security featu re that will not[...]

  • Страница 66

    62 Figure 4-9 Enter a name for the connecti on and click Finis h to complete the c onfiguration. By ticking Add a shortcut to my desk top, an icon for the remote conn ection will appear o n the deskto p. To launch the new connectio n, double-click o n the new icon on the desktop, and th e remote acces s login screen wi ll appear as in th e next fig[...]

  • Страница 67

    DHCP Server 63 5. DHCP Serve r Your CyberGuar d SG applianc e can act as a DHCP serve r for machines on your local network. To c onfigure your Cyber Guard SG appl iance as a DHCP se rver, you must se t a static IP ad dress and netmask o n the LAN or DM Z port (see the c hapter entitled Net work Connections ). DHCP Server Configuration The DHCP se r[...]

  • Страница 68

    DHCP Server 64 To configu re the DHCP Server, fol low these instruc tions. • Check the En able DHCP Server c heckbox. • Enter the Subn et and netmask of the IP addres ses to be distrib uted. • Enter the Gatew ay Address that the DHCP clients will be issued with . If this field is left blank, the CyberGuard SG app liance's IP ad dress wil[...]

  • Страница 69

    DHCP Server 65 Subnet List The Subnet Li st will display the status of the D HCP server. Interface Once a subn et has been conf igured, the port whi ch the IP address es will be issued from will be sho wn in the Interface fiel d. Subnet The value sh own in this field is the subnet for whi ch the IP address es distributed will use. Free Addresses Th[...]

  • Страница 70

    DHCP Server 66 Figure 5-3 For each IP a ddress that the DH CP server service s, the Status , Ho stname , MAC Address will b e shown. There is also be an option to Remove the a ddress and for reserved IP ad dresses, the add ed option to Unrese rve the address . Unreserving the address wil l allow it to be hand ed out to any host. The Status field wi[...]

  • Страница 71

    67 DHCP Proxy The DHCP pro xy allows the Cybe rGuard SG appl iance to forward DH CP requests from the LAN to an external server for resolution. Th is allows both stat ic and dynamic addresses to be given out on the LAN just as running a DHCP server would. To enable t his feature, specif y the server which is to receive the forwar ded requests in Re[...]

  • Страница 72

    Firewall 68 6. Firewall The CyberGua rd SG applianc e has a fully featured , stateful firewall . The firewall all ows you to control both incoming an d outgoing ac cess, so that PCs on the office net work can have tailored Internet access facilities and are s hielded from malici ous attacks. The firewall filters packets at th e network layer, dete [...]

  • Страница 73

    Firewall 69 Administration services The following figure shows the A dministration Servic es page: Figure 6-1 By default the CyberGuard SG appl iance runs a web administration server and a teln et service. Acce ss to these services can be restricted to specific int erfaces. For example , you may want to restrict acce ss to the Web Manage ment Conso[...]

  • Страница 74

    Firewall 70 CyberGuard SG Administrative Web Server Clicking t he CyberGuard SG W eb Server tab ta kes you to the p age to configure the administrative we b server. This web server is resp onsible for running the Web Management Console. Here you can c hange the port on which the server ru ns. Additional ly, the SG550, SG570 and SG575 mode ls suppor[...]

  • Страница 75

    Firewall 71 The Web Management Console is usually accessed on the default HTT P port (i.e. 80). After changing the web server po rt number, you mus t include the new port number in th e URL to acces s the pages. Fo r example, if you ch ange the web ad ministration to p ort number 88, the URL to access the web administratio n will be similar to : ht[...]

  • Страница 76

    Firewall 72 Once valid SSL certificates have been uploaded, th e CyberGuard SG a dministrative web server can op erate in one of on e of 3 different mode s. • B oth normal and SSL web access (bo th HTTP/HTTPS) • Di sable normal acc ess (HTTPS only) • Di sable SSL acc ess (HTTP only) To access the Web Management C onsole admini strative web pa[...]

  • Страница 77

    Firewall 73 Packet Filtering By default, yo ur CyberGuard S G appliance allows network traffic as shown in the following ta ble: You can configure your Cyb erGuard SG app liance with ad ditional filter rule s to allow or restrict net work traffic. These rules can match traffi c based on the s ource and desti nation address, th e incoming and outgo [...]

  • Страница 78

    Firewall 74 Before configu ring a filter or NAT r ule, you need to define the addres ses and service groups. Addresses Click the Addre sses tab. Any add resses tha t have already been defined will be displayed. Cli ck New to add a n ew address, or se lect an existing a ddress and click Modify . There is no need to add addresses for the CyberGuard S[...]

  • Страница 79

    Firewall 75 Service groups Click the Servi ce Groups tab. Any addresses that have already been defined will be displayed. Cli ck New to add a n ew service group s, or select an e xisting address and click Modif y . Adding or mod ifying a service grou p is shown in the following figure : Figure 6-5 A service gro up can be used t o group together s i[...]

  • Страница 80

    Firewall 76 Rules Once addres ses and services h ave been defined, you can create fi lter rules. Click Rules . Any ru les that have alrea dy been defin ed will be displayed. Cl ick New to ad d a new filter rule, or select an exis ting filter and cl ick Modify . Note The first matc hing rule will de termine the acti on for the network t raffic, so t[...]

  • Страница 81

    Firewall 77 The Incomin g Interface is th e interface/network port that the Cyber Guard SG applian ce received the network traffic on. The Outgoing I nterface is the i nterface/network p ort that the CyberGu ard SG appliance will route the n etwork traffic o ut. None will match network traffic tha t is destined for the CyberGuard SG appliance i tse[...]

  • Страница 82

    Firewall 78 Source Addre ss The address f rom which the req uest originated (for port forwardin g you may spec ify this to restric t the internal se rvice to be only acc essible from a sp ecific remote locati on) Destination Ad dress The destin ation address of the request, this is th e address th at will be altered Destination Se rvices The destin[...]

  • Страница 83

    Firewall 79 Source Addre ss The address f rom which the req uest originated (for masqueradin g this will typical ly be a private LAN or DMZ addres s) Outgoing Interfa ce The interface that receives th e request (for masqueradin g this will typical ly be private inter face, i.e. LAN or DMZ ) Destination Ad dress The destin ation address of the reque[...]

  • Страница 84

    Firewall 80 Warning Leaving Create a corresp onding ACCEPT fi rewall rule will a llow all traffic i nto and out from the spec ified private addre ss, i.e. the priva te address will no longer be shield ed by your CyberGu ard SG applian ce’s firewall. Otherwise, manu ally create filt er rules through Rules . Rules The Rules co nfiguration page allo[...]

  • Страница 85

    Firewall 81 Access Control and Content Filtering Inappropriate I nternet use during work hours ca n have a serious e ffect on producti vity. With the CyberGu ard SG Access Control web pro xy, you can contro l access to the Internet based on the type of web content being ac cessed ( Content ), a nd which user or workstation is accessing the In terne[...]

  • Страница 86

    Firewall 82 Users withou t web proxy acce ss will see a s creen similar to the figure below when attempting to access external w eb content. Figure 6-8 Note Each browse r on the LAN will now have to be set up to use the Cy berGuard SG appliance ’s web proxy.[...]

  • Страница 87

    Firewall 83 Browser setup The example given is for Micros oft Internet Explorer 6 . Instructions fo r other browsers should be similar, refer to their user documentatio n for details on u sing a web proxy. From the Interne t Options menu, s elect Tools . From the LA N Settings tab, select LAN Settings . Figure 6-9 Check Use a proxy server for your [...]

  • Страница 88

    Firewall 84 Figure 6-10 In the row lab eled HTTP , enter your CyberGuard SG appliance’s LAN IP address in the Proxy addre ss to use colu mn, and 81 in the Port column. Leave th e other rows bla nk. In the Except ions text box, enter your CyberGua rd SG applianc e’s LAN IP addres s. Click OK , OK and OK a gain. IP lists Internet acces s may be B[...]

  • Страница 89

    Firewall 85 Web lists Access will be denied to any web ad dress (URL) th at contains text e ntered in the Blo ck List , e.g. enterin g xxx will block any URL containi ng xxx , including http://xxx.exampl e.com or www.tes t.com/xxx/index.ht ml . The Allow List also enables access to URLs co ntaining the spe cified text. Figure 6-11[...]

  • Страница 90

    Firewall 86 Content Note Content filterin g is only availab le after your have regi stered your Cybe rGuard SG appliance and activated you r content filterin g license (sold separa tely) through www.cybergua rd.com/snapgea r/my/ . Content filterin g allows you to l imit the types of web based content ac cessed. Check Enabl e Content Filtering enter[...]

  • Страница 91

    Firewall 87 Reports Warning The correct time/date must be set on your CyberGua rd SG applianc e for reporting to work. The mos t effective way t o do this is by usin g an NTP time server. See the Time and Date sec tion in the chap ter entitled Advanced for detai ls. Blocked reque sts are submitted to the central content filtering se rver. The user [...]

  • Страница 92

    Firewall 88 ZoneAlarm This facility d enies Internet ac cess to machines your LAN that are no t running the ZoneAlarm P ro personal fire wall software. Run ning personal fir ewall software on e ach PC offers an e xtra layer of prot ection from applic ation level, operat ing system spec ific exploits and mal ware that abou nd on the Internet.[...]

  • Страница 93

    Intrusion Detec tion 89 7. Intrusion De tection Note Advanced I ntrusion Detection i s only available on SG575 models. Oth er models offer Basic Inst rusion Detection and Blocking only. The CyberGua rd SG applianc e provides two i ntrusion detection systems (IDS). The lightweight and simple to config ure Basic Intrusion De tection and Block ing , a[...]

  • Страница 94

    Intrusion Detec tion 90 The benefits of us ing an IDS External attac kers attempting to access desktops and servers on the private network from the Intern et are the large st source of intrusi ons. Attackers exploiting known flaws in operating s ystems, networkin g software and app lications, compromise many systems through the Inte rnet. Generally[...]

  • Страница 95

    Intrusion Detec tion 91 Basic Intrusion Detection and Block ing The following figure shows the I ntrusion Detect ion and Blocking (I DB) configuratio n: Figure 7-1 IDB operates by offering a numbe r of services to th e outside world th at are monitored f or connectio n attempts. Remote mac hines attempt ing to connect to these services generate a s[...]

  • Страница 96

    Intrusion Detec tion 92 Several shortc ut buttons also provide pre-defined li sts of services to mo nitor. The basic button inst alls a bare bones s election of ports t o monitor while sti ll providing sufficie nt coverage to d etect many intru der scans. The standard option exten ds this covera ge by introducin g additional monit ored ports for ea[...]

  • Страница 97

    Intrusion Detec tion 93 Advanced Intrusion Detection Advanced I ntrusion Detection i s based on the tried a nd tested Snort v2 IDS. It is able to detect attack s by matching in coming network d ata against defin ed patterns or rul es. Advanced Intru sion Detection u tilizes a combination of methods to pe rform extensive IDS analysis on the fly. The[...]

  • Страница 98

    Intrusion Detec tion 94 Advanced Intrusion De tection configuration Figure 7-2 Check Enabl ed , and select th e Interface /networ k port to monitor. This will typical ly be Internet , or po ssibly DMZ . Checking Us e less memor y will result in sl ower signature dete ction throughput , but may be necess ary if your CyberGuard SG applianc e is confi[...]

  • Страница 99

    Intrusion Detec tion 95 Note The more rule sets that are selec ted, the greater lo ad is imposed on the CyberGuard SG appliance . Therefore a cons ervative rather tha n aggressive appro ach to adding rule sets should be followed initially. Figure 7-3 Check Log resu lts to database t o use a remote an alysis server. Note If Log results to database i[...]

  • Страница 100

    Intrusion Detec tion 96 Setting up the analysis server Specific o pen source tools a re required to be i nstalled on the Anal ysis server for a straightforwa rd evaluation. The analysis s erver will typically be a Pentium IV level system running L inux ( Red Hat , Debian , etc.) wi th sufficient memor y and disk capa city to run a data base and web[...]

  • Страница 101

    97 PHPlot graph library for chart s written in PHP http://www.ph plot.com/ ACID analysis console http://www.an drew.cmu.edu/~ rdanyliw/snort/ac id-0.9.6b23.tar.gz Snort will be running as an IDS sensor on the CyberGuard SG ap pliance and log ging to the MySQL da tabase on the an alysis server. The f ollowing are detai led documents tha t aid in ins[...]

  • Страница 102

    Web Cache 98 8. W eb Cache Note The web cac he is only avail able on SG575 models . Web browser s running on PCs o n your LAN can use the CyberGuard SG appliance ’s proxy-cache server to reduce Internet access ti me and bandwidth consumption. A proxy-cach e server implemen ts Internet obj ect caching. This is a way to store requested I nternet ob[...]

  • Страница 103

    Web Cache 99 Web Cache Setup Select Web ca che under Networking . A p age similar to the fol lowing will be dis played. Figure 8-1 Check Enabl e to enable the web cache. Cache size Select the amoun t of memory (RA M) on the Cybe rGuard SG appli ance to be reserved for caching In ternet objects. The maximum amount o f memory you can safely reserve w[...]

  • Страница 104

    Web Cache 100 Network Shares Typically, yo u will find the Cyber Guard SG applian ce’s web cach e most useful wh en utilizing a Ne twork Share for a dditional storage s pace. The CyberGu ard SG applian ce is not equipped w ith a hard disk of its own, so is qui te limited in terms o f the amount of Internet obj ects it can cache. A network sh are [...]

  • Страница 105

    Web Cache 101 Create the network share Figure 8-2 Launch Windo ws Explorer ( Start -> (All) Progra ms -> Accessories -> Windows Explorer ) an d open up a folde r or drive to dedicate a s a network share for use by the CyberGuard SG appliance’s web cache. Begin by disa bling simple file sharing for this fo lder. From the Tools menu, s ele[...]

  • Страница 106

    Web Cache 102 Set the CyberGuard SG appliance to use the network share Check Use s hare . Enter the lo cation of the network share in the forma t: HOSTNAMEsharename Figure 8-3 Enter the ma ximum size for th e cache in Cache size . Warning Cache size s hould not be more than 90% of the space available to the network share, e.g. if you share d a d[...]

  • Страница 107

    Web Cache 103 Peers The CyberGua rd SG applianc e’s web cache can be configured to share cached o bjects with, and acce ss objects cach ed by, other web c aches. Web cache s communicate usi ng the Internet Cac he Protocol (ICP). IC P is used to exchange hin ts about the exist ence of URLs in ne ighbour caches . Caches exchange ICP queries an d re[...]

  • Страница 108

    Virtual Private Networking 104 9. V irtual Priv ate Networking Virtual Private Networking (VPN) en ables two o r more locations to communicate securel y and effecti vely, usually acros s a public netwo rk (e.g. the Internet) and has the fo llowing key traits: • Privacy - no o ne else can see what you are com municating • Authentication - you kn[...]

  • Страница 109

    Virtual Private Networking 105 Figure 9-1 PPTP Client Setup The PPTP cli ent enables the Cyb erGuard SG appli ance to establi sh a VPN to a remote network runn ing a PPTP server (u sually a Micros oft Windows server). Select PPTP VPN Client from the VPN menu and crea te a new VPN conn ection by entering: • A desc riptive name for the VPN connect [...]

  • Страница 110

    Virtual Private Networking 106 If the remote VPN is already up a nd running, chec k Start Now to es tablish the connectio n immediately as sho wn in the following fi gure: Figure 9-2 The CyberGua rd SG applianc e supports multiple VPN c lient connec tions. Additional connectio ns can be added by foll owing these st eps. To set a VPN con nection as [...]

  • Страница 111

    Virtual Private Networking 107 PPTP Server Setup The CyberGua rd SG applianc e includes a PPTP Se rver, a virtual pri vate network serve r that suppor ts up to forty simulta neous VPN tunnel s (depending on your CyberGuard SG appliance model). The CyberGua rd SG PPTP S erver allows remote Windows cli ents to securely conn ect to the local network. [...]

  • Страница 112

    Virtual Private Networking 108 Enable and configure the PPTP VPN server The following figure shows the P PTP server setup: Figure 9-3 To enable and configure your Cyb erGuard SG app liance’s VPN se rver, select PPTP VPN Server from th e VPN menu on the Web Management Cons ole web adminis tration pages.[...]

  • Страница 113

    Virtual Private Networking 109 The following table describes the fields in the VPN Setup screen a nd the options available whe n enabling and c onfiguring VPN acc ess. Field Description Enable PPTP Server Check this box to enable PPTP c onnections to be established to your CyberGu ard SG applian ce. IP Addresses for the Tunnel End Points Enter the [...]

  • Страница 114

    Virtual Private Networking 110 Configuring user ac counts for VPN server After setting up the VPN server, select Continue an d to show the PPTP VPN Server Accounts scree n as shown in the following figure: Figure 9-4 If you selected None as the Auth entication Schem e , setup is now c omplete. Skip ahead to Configuring th e remote VPN clien t . Oth[...]

  • Страница 115

    Virtual Private Networking 111 The field o ptions in the Add New Account are det ailed in the foll owing table. Field Description Username Username f or VPN authe ntication only. Th e name selecte d is case- sensitive (e .g. Jimsmith is di fferent to jimsmith ). Username can be the same as, or different to, the name set for dia lin access. Windows [...]

  • Страница 116

    Virtual Private Networking 112 Configuring the r emote VPN client The remote VPN c lients can now b e configured to s ecurely access the local network. You need to enter the a PPTP Acc ount username an d password that yo u added in the previous secti on, and the IP addr ess of the CyberGu ard SG PPTP VPN server. The CyberGua rd SG PPTP VPN ser ver [...]

  • Страница 117

    Virtual Private Networking 113 Windows 95, Windows 98 and Windows Me From the Dia l-Up Networkin g folder, double-c lick Make New Conne ction . Type CyberGuard SG appliance or a similar descript ive name for your new VPN connection. From the Sel ect a device dro p-down menu, sel ect the Microsoft V PN Adapter and c lick Next . Enter the PPTP IP add[...]

  • Страница 118

    Virtual Private Networking 114 Click TCP/IP S ettings . Confirm th at the Server Assig ned IP Address , Server Assigned Nam e Server Address , Use IP Header C ompression and Use Default Gateway on Re mote Netw ork are all selecte d and click OK . Figure 9-7 Your VPN clie nt is now set up a nd ready to connec t. Windows 2000 Log in as A dministrator[...]

  • Страница 119

    Virtual Private Networking 115 Double-click Mak e New Connectio n from the main wi ndows. Click Next to show the Network Co nnection Type windo w: Figure 9-9 Select Conne ct to a private ne twork through the Int ernet and click N ext . This displays the Destination Address window: Figure 9-10 Enter the Cyb erGuard SG PPTP se rver’s IP addre ss or[...]

  • Страница 120

    Virtual Private Networking 116 Figure 9-11 Enter an appr opriate name for your connection and click Finish . Your VPN clie nt is now set up a nd ready to connec t. Windows XP Log in as A dministrator or with Administrator p rivileges. From the Start menu, sele ct Settings and then Network Connections . Click Create New Connection from the Network T[...]

  • Страница 121

    Virtual Private Networking 117 Connecting the r emote VPN client Verify that you are connected to the Internet, or have s et up your VPN c onnection to automatically es tablish an initi al Internet connect ion. Select the con nection for the Cybe rGuard SG app liance VPN. Enter a usern ame and passwo rd added in the Con figuring user ac counts for [...]

  • Страница 122

    Virtual Private Networking 118 IPSec Setup CyberGuard SG appliance to CyberGuard SG appliance There are man y possible config urations in crea ting an IPSec tunnel. The most common and simplest wi ll be described in this section. Add itional options will also be explain ed throughout this example, should it become neces sary to configure th e tunne[...]

  • Страница 123

    Virtual Private Networking 119 Figure 9-13 Check the En able IPSec chec kbox. Select the t ype of IPSec endpo int the CyberGuar d SG appliance has on its Intern et port. The CyberGua rd SG applianc e can either have a s tatic IP , dynamic IP or DNS hostname ad dress . If a dynamic DNS service is to be used or the re is a DNS hostname that resolves [...]

  • Страница 124

    Virtual Private Networking 120 Warning It may be nec essary to reduce t he MTU of the IPSec interface if larg e packets of data are not being tr ansmitted. Configure a tunnel to connect to the headquarters office To create an IP Sec tunnel, cl ick the IPSec link on t he left side of th e Web Management Console web administration pages and then c li[...]

  • Страница 125

    Virtual Private Networking 121 Select the I nternet port the IPSec t unnel is to go ou t on. The options will depend on what is currentl y configured on the Cybe rGuard SG app liance. For the vas t majority of setu ps, this will b e the default gatew ay interface to the Internet. In this e xample, select th e default gatew ay interface op tion. Not[...]

  • Страница 126

    Virtual Private Networking 122 • x.509 Certifica tes are used to authenticate the remote party again st a Certificate Authority's (CA) c ertificate. The CA certificate must have signed the lo cal certificates that are used for tunn el authentication. Certificates need to be uploaded to the CyberGuard SG ap pliance bef ore a tunnel can be con[...]

  • Страница 127

    Virtual Private Networking 123 In this exampl e, select the be a rou te to the remote p arty option. Click the Conti nue button to c onfigure the Local Endpoint Settings . Local endpoint sett ings Figure 9-15 Leave the Initiate the tunne l from this end ch eckbox checked.[...]

  • Страница 128

    Virtual Private Networking 124 Note This optio n will not be availa ble when the Cyber Guard SG applia nce has a static I P address an d the remote party h as a dynamic IP ad dress. Enter the Requ ired Endpoint ID of the CyberGuard SG a ppliance. This ID is used to authentica te the CyberGuard SG a ppliance to the remote party. It is required beca [...]

  • Страница 129

    Virtual Private Networking 125 Other options The following options will bec ome available on this page dependin g on what has b een configured previously: • The next IP a ddress on the inte rface the tunnel i s to go on field is the next gateway IP ad dress or nextho p along the previou sly selected IPSec interface. Thi s field will b ecome avail[...]

  • Страница 130

    Virtual Private Networking 126 o des-md5-96 uses the encryptio n transform follo wing the DES s tandard in Cipher- Block-Chainin g mode with authe ntication provided by HMAC and MD5 (96-bit authentica tor). It uses a 56-bi t 3DES encryption k ey and a 128-bit HMAC-MD5 authentica tion key. o des-sha1-96 uses the encrypti on transform foll owing the [...]

  • Страница 131

    Virtual Private Networking 127 Other options The following options will bec ome available on this page dependin g on what has b een configured previously: • The remote pa rty's DNS hostnam e address field is the DNS hostnam e address of the Internet i nterface of the remo te party. This op tion will become a vailable if the remote par ty has[...]

  • Страница 132

    Virtual Private Networking 128 TCGID [Siemens] Trust C enter Global ID The attribute/val ue pairs must b e of the form attrib ute=value and be separated by commas. For e xample : C=US, ST= Illinois, L=Chic ago, O=CyberGuard , OU=Sales, CN =SG550. It mus t match exactly the Distinguished Na me of the remote party's l ocal certificate to success[...]

  • Страница 133

    Virtual Private Networking 129 Phase 1 settings Figure 9-17 Set the length o f time before Phas e 1 is renego tiated in the Key lifetim e (m) field. The length may var y between 1 and 1440 minutes. Sho rter values offer h igher security at the expense of th e computational overhead require d to calculate new ke ys. For most applicatio ns 60 minutes[...]

  • Страница 134

    Virtual Private Networking 130 Warning The secret mus t be entered ide ntically at each end of the tunnel. Th e tunnel will fail to connect if the secret is not ide ntical at both ends. T he secret is a h ighly sensitive pie ce of information. It is essential to k eep this information confidential. Co mmunications ove r the IPSec tun nel may be com[...]

  • Страница 135

    Virtual Private Networking 131 Phase 2 settings page Figure 9-18 Set the length o f time before Phas e 2 is renego tiated in the Key lifetim e (m) field. The length may var y between 1 and 1440 minutes. For most applicati ons 60 minutes is recommende d. In this example, l eave the Key Li fetime as the defa ult value of 60 minutes. Select a Pha se 2[...]

  • Страница 136

    Virtual Private Networking 132 Other options The following options will bec ome available on this page dependin g on what has b een configured previously: A separate s ection may appea r to enter multiple L ocal Networks o r Remote Networks or both. In the case where both l ocal and remote pa rties have been co nfigured to have multiple subne ts be[...]

  • Страница 137

    Virtual Private Networking 133 Check the En able IPSec chec kbox. Select the t ype of IPSec endpo int the CyberGuar d SG appliance has on its Intern et interface. In this example, sel ect static IP addres s . Leave the Set the IPSec MTU to b e checkbo x unchecked. Click the Appl y button to save the changes. Configuring a tunnel t o accept connecti[...]

  • Страница 138

    Virtual Private Networking 134 Select the t ype of routing the tu nnel will be used as. In this example, se lect the be a route to the rem ote party option. Click the Conti nue button to c onfigure the Local Endpoint Settings . Local endpoint sett ings page Leave the Optional Endpoin t ID field blank in this example. It is optional becau se the Cyb[...]

  • Страница 139

    Virtual Private Networking 135 Enter a secret in the Preshared S ecret field. This must remain confi dential. In this example, ent er the Preshared Secret used at the branch office Cybe rGuard SG appliance , which was: This sec ret must be kept c onfidential. Select a Pha se 1 Proposal . In this example, sele ct the 3DES-SHA-Dif fie Hellman Group 2[...]

  • Страница 140

    Virtual Private Networking 136 Tunnel List Figure 9-20 Connection Once a tunne l has been confi gured, an entry with the tunnel name in the Connection field will b e shown. Note You may mod ify a tunnel’s settin gs by clickin g on its connection n ame. Click Connecti on to sort the tunn el list alphabet ically by connecti on name. Remote party Th[...]

  • Страница 141

    Virtual Private Networking 137 Click Remo te Party to sort the tu nnel list by the remote party ID/name/add ress. Status Tunnels th at use Automatic Key ing (IKE) will hav e one of four state s in the Status fie ld. The states include the followi ng: • Down indicate s that the tunnel is not being neg otiated. This may be d ue to the following rea[...]

  • Страница 142

    Virtual Private Networking 138 Figure 9-21 Inte rfaces Loaded li sts the CyberGuard SG a ppliance's interfaces which IPSec will use. Phas e 2 Ciphers Loade d lists the encrypti on ciphers that tunn els can be con figured with for Phase 2 n egotiations. Th is will include DES, 3DES and AES. Phas e 2 Hashes Load ed lists the authen tication hash[...]

  • Страница 143

    Virtual Private Networking 139 Diffie Hellman Groups Loaded lists the Di ffie Hellman grou ps and Oakley group extensions tha t can be configu red for both Phase 1 and Phase 2 n egotiations. Conn ection Details li sts an overview of the tunnel's c onfiguration. It contai ns the following in formation: • An outl ine of the tunnel' s netw[...]

  • Страница 144

    Virtual Private Networking 140 • The Pha se 2 proposal wanted. The line ESP algorithms w anted reads 3_000-2; pfsgroup=2 . Th e 3_000 refers to cipher 3 DES (where 3DE S has an id of 3, s ee Phase 2 Ciph ers Loaded), the 2 refers to hash SHA1 or SHA (where SH A1 has an id of 2, see Phase 2 Hashes Loa ded) and pfsgroup=2 refers t o the Diffie Hell[...]

  • Страница 145

    Virtual Private Networking 141 Certificate Management x.509 Certific ates can be use d to authenticate IPSec endpoints duri ng tunnel negoti ation for Automatic Keying. The other methods are Pres hared Secrets and RSA Dig ital Signatures . Certificates need to be uploade d to the CyberGuard SG appliance be fore they can be used in a t unnel. Certif[...]

  • Страница 146

    Virtual Private Networking 142 To extract the local private key c ertificate type, ent er the following at the Windows command pro mpt: openssl pkc s12 -nomacver -n ocerts -in pkcs1 2_file -out local_ private_key.pem .. where pksc12_file is the PK CS#12 file issu ed by the CA and l ocal_private_ke y.pem is the local private key certific ate to be u[...]

  • Страница 147

    Virtual Private Networking 143 4. Create the se lf-signed root CA c ertificate: openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out rootCA/ca.pem -days DAYS_VALID -nodes .. where DAYS _VALID is the n umber of days the root CA is valid fo r. Remove the –n odes option if you want to use a password to secure the CA key. For each ce[...]

  • Страница 148

    Virtual Private Networking 144 Adding certificates To add certi ficates to the Cyber Guard SG applia nce, click the IPSe c link on the le ft side of the Web Manag ement Consol e web administra tion pages and th en click the Certificate L ists tab at the top of the window. A wind ow similar to the following will be displayed. Figure 9-22[...]

  • Страница 149

    Virtual Private Networking 145 Adding a CA or CRL c ertificate Click the Add n ew CA or CRL Certi ficate tab. A wind ow similar to the following will be displayed. Figure 9-23 Select wheth er a Certificate Auth ority or Certifica te Revocation Lis t certificate is to be uploaded fr om the Certificate T ype pull down men u. Enter the Certi ficate Au[...]

  • Страница 150

    Virtual Private Networking 146 Adding a local certificat e 1 Click the Add new Local Cert ificate tab. A win dow similar to th e following will be displayed. Figure 9-24 Enter the Loc al Public Key c ertificate in the Local Certificate field. Click the Brow se button to se lect the file from the host computer. Certificates have ti me durations in w[...]

  • Страница 151

    Virtual Private Networking 147 Figure 9-25 The certificate names will be di splayed under the app ropriate certific ate type. Clicking the Delete bu tton deletes the c ertificate from the Cyber Guard SG appl iance. Troubleshooting • Symptom: IPSe c is not running and is enabled. Possible Caus e: The CyberGuard SG applianc e has not been as signed[...]

  • Страница 152

    Virtual Private Networking 148 The remote pa rty does not have a tunnel config ured correctly bec ause: o The tu nnel has not been configured. o The Pha se 1 proposal s do not match. o The s ecrets do not matc h. o The RSA key signatures ha ve been incorrec tly configured. o The Dis tinguished Name o f the remote party ha s not be configu red corre[...]

  • Страница 153

    Virtual Private Networking 149 Solution: Co nfirm that the remot e party has IPSe c and the tunnel enabled and has an Internet IP ad dress. Ensure th at the CyberGuard SG appliance has rekeying enabled. If the tunnel still go es down after a per iod of time, it may be d ue to the CyberGuard SG appliance a nd remote party not r ecognising the need t[...]

  • Страница 154

    Virtual Private Networking 150 Set up LMHOST files on remote h osts to resol ve names to IP adress es. • Symptom: Tun nel comes up b ut the application doe s not work acros s the tunnel. Possible cau se: There may be a f irewall devic e blocking IPSec packets. The MTU of t he IPSec interfac e may be too la rge. The applic ation uses broadc asts p[...]

  • Страница 155

    Virtual Private Networking 151 GRE The GRE con figuration of the CyberGuard SG ap pliance allows you t o build GRE tunne ls to other devic es that support t he Generic Routi ng Encapsulating p rotocol. You can build GRE tunnels to other CyberGuard SG appliance s that support GRE, or to other de vices such as Ci sco equipment. GRE tunnels are useful[...]

  • Страница 156

    Virtual Private Networking 152 On the Brisba ne end, click GRE Tunnels from the VPN me nu. Enter the following details: GRE Tunnel Na me: to_slough Remote Ext ernal Address: 195.45.67.8 Local Externa l Address: 203.23.4 5.6 Local Interna l Address: 192.168.1.1 Click Add . Cli ck Add/Remove under Rem ote Networks and enter: Rem ote subnet/netma sk: [...]

  • Страница 157

    Virtual Private Networking 153 Click Add . Cli ck Add/Remove under Rem ote Networks and enter: Rem ote subnet/netma sk: 192.168.1.0 / 255.255.255.0 Click Add . The GRE tunnel bet ween the two netwo rks is now set u p. Tunnels may be Disable d, Dele te d or Edit ed from t he main table of GRE tunnels. A few further things of note are: GRE Tunnel Na [...]

  • Страница 158

    Virtual Private Networking 154 Enter the IP Ad dress / Netmask of 10.254.0.1 / 255.255.255.255 at the Slough end, and 10.254.0.2 / 255.255.255.255 at the Brisbane end. Click Apply and reboot t he unit if prompted to do so. Note The alias IP addresses are es sentially dummy addr esses and can be anything that does not conflict with your existing n e[...]

  • Страница 159

    Virtual Private Networking 155 Create the GRE tu nnel. Selec t GRE Tunnels from th e left hand menu . For the Slough end enter the IP addresses be low. Leave Local In ternal Address bla nk, and check Place on Ethe rnet Bridge . Figure 9-29 GRE Tunnel Na me: to_bris Remote Ext ernal Address: 1 0.254.0.2 Local Externa l Address: 10.254.0 .1 Local Int[...]

  • Страница 160

    Virtual Private Networking 156 Troubleshooting • Symptom: Can not ping a hos t on the other sid e of the GRE tunnel . Ensure that t here is a route s et up on the GRE tu nnel to the remote n etwork. Ensure that t here is a route on the remote GRE en dpoint to the netw ork at this end of the GRE tunn el. Check that the re is a GRE interfa ce creat[...]

  • Страница 161

    Virtual Private Networking 157 L2TP The Layer Two T unneling Proto col was develop ed by Microsoft an d Cisco as a mult i- purpose ne twork transport prot ocol. Many DSL ISP s use L2TP over AT M to create tu nnels across th e Internet backbo ne. The CyberGua rd SG L2TP impleme ntation can only run L2TP over Ethe rnet since it doesn't have an A[...]

  • Страница 162

    Virtual Private Networking 158 L2TP server The L2TP Server runs in a simil ar way to the PPT P Server. A range of IP addresse s is allocated, and then username an d password pairs are created to all ow users to log on. Note To increas e security, L2TP VPN co nnections from Windows PCs are also run throug h an IPSec tunnel . This means an IP Sec con[...]

  • Страница 163

    System 159 10. Sy stem Date and Time Set date and time If you have a Javascript enabl ed web browser, you will be able to c lick the top Set Date and Time bu tton to synchron ize the time on the CyberGuard SG ap pliance with t hat of your PC. Alternately, you can manuall y set the Year , Month , Date , Hour and Minute u sing the selection boxes to [...]

  • Страница 164

    System 160 Figure 10-1 Locality Select your re gion then selec t your location within said region. The system clock wi ll subsequen tly show local time. Without setti ng this, the system cl ock will show UTP. Setting a time zone is only rele vant if you are syn chronizing with an NTP server or you r CyberGuard SG appliance h as a real time clo ck. [...]

  • Страница 165

    System 161 Users User accounts on a CyberGuard S G appliance all ow administrative d uties to be spread amongst a nu mber of different p eople accordin g to their level of comp etence and trus t. Each user on t he CyberGuard SG a ppliance has a password that th ey use to authentica te themselves to the unit's web pages. They also have a number[...]

  • Страница 166

    System 162 Administration A user with th e administratio n access control is permitted to edit a ny configuration fi le on the CyberGuar d SG applianc e. It should be given to trusted users who are permitted to configure a nd reconfigure the u nit. Diagnostic The diagno stic access control a llows a user to vie w status reports, th e technical supp[...]

  • Страница 167

    System 163 Internet access (via acc ess controls) A user with th is access control is permitted contro lled access to th e web through the CyberGuard SG appliance’s web proxy. See the Access control an d content filtering section in the c hapter entitled F irewall for details on c ontrolling LAN us ers’ web acce ss. Password The CyberGua rd SG [...]

  • Страница 168

    System 164 Figure 10-3 Network tests Basic network diagnostic tests ( ping , traceroute ) can b e accessed by c licking the Network Tests tab at the top of t he Diagnostics page .[...]

  • Страница 169

    System 165 Advanced The options on the Advanced page are intended for networ k administrators and advanced users only . Warning Altering the ad vanced configu ration settings may r ender your CyberGua rd SG applian ce inoperable. System log The system lo g contains debuggi ng information that may be useful i n determining whether all se rvices for [...]

  • Страница 170

    System 166 You may also upload addition al configuration fi les from your compu ter to the CyberGu ard SG appliance under Upload fil e . To backup to an encrypted fil e, click save and rest ore, enter a passw ord and click Save under Save C onfiguration. T o restore from this file, browse for the b ackup configura tion file, enter t he password you[...]

  • Страница 171

    System 167 The majority of Linux users w ill already have a T FTP server inst alled as part of their distri bution, which must be configured an d running. 3. In the Web Manage ment Console web administration pages, click Adva nced then Flash Upgrade . Enter the server IP Address (i.e. PC w ith the TFTP ser ver and binary image ) and the binary imag[...]

  • Страница 172

    168 Technical Support The System me nu contains a n option detailin g support information fo r your CyberGu ard SG appliance . This page provides basic troub leshooting tips , contact details for CyberG uard SG technical supp ort, and links to the CyberGuard SG Kno wledge Base ( http://www.c yberguard.com/sna pgear/knowledg ebase.html ) as shown in[...]

  • Страница 173

    Appendix A – IP Address Ran ges 169 Appendix A – IP A ddress Range s IP ranges are fields that allo w multiple IP addres ses to be spec ified using a short hand notation. F our distinct forms of ran ge are acceptabl e: 1. a.b.c.d 2. a.b.c.d-e 3. a.b.c.d-e.f.g. h 4. a.b.c.d/e The first is simp ly a single IP ad dress. Thus w here ever a range is[...]

  • Страница 174

    Appendix B – Terminology 170 Appendix B – T erminology This section e xplains terms that ar e commonly used in this document. Term Meaning ADSL Asymmetric Dig ital Subscriber L ine. A technology all owing high-sp eed data transfer o ver existing telep hone lines. ADSL sup ports data rates between 1.5 and 9 Mb/s when receiving dat a and between [...]

  • Страница 175

    Appendix B – Terminology 171 Certificates A digitally s igned statement tha t contains infor mation about an ent ity and the enti ty's public key, thus binding these two pieces of informatio n together. A c ertificate is iss ued by a trusted organi zation (or entity) called a Ce rtification Authority (CA ) after the CA ha s verified that the[...]

  • Страница 176

    Appendix B – Terminology 172 Extranet A private netwo rk that uses th e public Internet to securely share business in formation and opera tions with suppli ers, vendors, partn ers, customers, or o ther businesses . Extranets add extern al parties to a company's intr anet. Failover A method for detecting that th e main Internet c onnection (u[...]

  • Страница 177

    Appendix B – Terminology 173 IPSec tunnel The IPSec conn ection to secur ely link two private p arties across insecure a nd public channels . IPSec with Dynamic DNS Dynamic DNS c an be run on the IPSec endpoints thereby creating an IPSec tunnel using dynamic IP ad dresses. IKE IKE is a profile of ISAKM P that is for use b y IPsec. It is often c a[...]

  • Страница 178

    Appendix B – Terminology 174 NAT Network Add ress Translatio n. The translatio n of an IP address used on one network to an IP address on another networ k. Masqueradin g is one particu lar form of NAT. Net mask The way tha t computers kno w which part of a TCP/IP address r efers to the network, and which part refe rs to the host range . NTP Netwo[...]

  • Страница 179

    Appendix B – Terminology 175 Router A network devi ce that moves pac kets of data. A route r differs from hubs and swit ches because i t is "intelligent" a nd can route packe ts to their final destination. RSA Digital Signatures A public/pri vate RSA key pair used for authenti cation. The CyberGua rd SG appliance can generate the se key[...]

  • Страница 180

    176 x.509 Certific ates An x.509 certif icate includes the format of the ce rtificate, the serial number of the certificate, the alg orithm used to sig n the certificate , the name of the CA t hat issued the c ertificate, the name a nd public ke y of the entity requ esting the certi ficate, and the CA's s ignature.x.509 certificates are used t[...]

  • Страница 181

    Appendix C – System Log 177 Appendix C – System Log Access Logging It is possibl e to log any traffic that arrives at or tra verses the Cyber Guard SG applia nce. The only logg ing that is enab led by default is to take note of pac kets that were dro pped. While it is pos sible to specific ally log exactly whic h rule led to suc h a drop, this [...]

  • Страница 182

    Appendix C – System Log 178 Commonly us ed interfaces ar e: eth0 the LAN port eth1 the WAN/Internet po rt ppp X e.g. ppp0 or ppp1 – a PPP session ipsec X e.g. ipsec0 , an IPSec interface The firewall rules deny all pac kets arriving from th e WAN port by defa ult. There are a few ports open to deal with traffic s uch as DHCP, VPN servic es and [...]

  • Страница 183

    Appendix C – System Log 179 A typical Defa ult Deny: will thus look similar to the following: Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT=MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0 That is, a p a[...]

  • Страница 184

    Appendix C – System Log 180 To log permit ted inbound acc ess requests to se rvices hosted on the CyberGuard SG appliance , the rule should lo ok something lik e this: iptables -I INPUT -j LOG -p tcp --syn -s <X.X.X.X/XX> -d <Y.Y.Y.Y/YY> --dport <Z> --log-prefix <prefix> This will log any TCP ( -p tcp ) se ssion initiation[...]

  • Страница 185

    Appendix C – System Log 181 For example, to log all inbound requests from the IP address 5.6 .7.8 to the mail se rver (port 25) on t he machine flubber on the L AN with address 192.168.1.1: iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: " This will result in log output so [...]

  • Страница 186

    Appendix C – System Log 182 If we just wan ted to look at tra ffic that went out to the IPSec world, we could use: iptables -I FORWARD -j LOG -o ipsec+ Clearly there a re many more combi nations poss ible. It is therefo re possible to write rul es that log inboun d and outbound tra ffic, or to construc t several rules that differentiat e between [...]

  • Страница 187

    Appendix C – System Log 183 Administrative Access Logging When a user tr ies to log onto th e Web Manageme nt Console web ad ministration pages , one of the foll owing log message s appears: Jan 30 03:00:18 2000 boa: Authentication successful for root from 10.0.0.2 Jan 30 03:00:14 2000 boa: Authentication attempt failed for root from 10.0.0.2 Thi[...]

  • Страница 188

    Appendix D – Firmware Upgra de Practices and Precautions 184 Appendix D – Firmware Upgrade Practices a nd Precautions Prior performin g any firmware up grade, it is impo rtant that you save a back up of yo ur existing con figuration ( Advanc ed -> Store/resto re all configuratio n files ) to a loc al file. While we mak e every effort to e ns[...]

  • Страница 189

    Appendix D – Firmware Upgra de Practices and Precautions 185 If you encoun ter any problems, r eset the device to its factory default settings and reconfigure . You may wish to u se your backed up old configuratio n as a guide in t his process, b ut do not restore it directly. If you are upgr ading a device tha t you do not normally ha ve physica[...]